AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2025-11-22 · Security-related high

File: bedrock-agentcore/latest/devguide/identity-authentication.md

Summary

Added 'callback_url' parameter to OAuth2 decorator configuration and improved code formatting

Security assessment

The addition of 'callback_url' parameter helps implement proper session binding in OAuth2 flows, which is critical for preventing authorization code interception attacks. This addresses potential security vulnerabilities in the authorization flow implementation.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-authentication.md b/bedrock-agentcore/latest/devguide/identity-authentication.md
index ffe186bb6..e3c1aae49 100644
--- a//bedrock-agentcore/latest/devguide/identity-authentication.md
+++ b//bedrock-agentcore/latest/devguide/identity-authentication.md
@@ -13,11 +13,15 @@ AgentCore Identity enables developers to obtain OAuth tokens for either user-del
-    @requires_access_token(# Uses the same credential provider name created above
-        provider_name= "google-provider", 
-        # Requires Google OAuth2 scope to access Google Drive
-        scopes= ["https://www.googleapis.com/auth/drive.metadata.readonly"],
-        # Sets to OAuth 2.0 Authorization Code flow
-        auth_flow= "USER_FEDERATION",
-        # Prints authorization URL to console
-        on_auth_url= lambda x: print("\nPlease copy and paste this URL in your browser:\n" + x),
-        # If false, caches obtained access token
-        force_authentication= False,)async def write_to_google_drive(*, access_token: str):
-        # Use the token to call Google Drive
+    @requires_access_token(
+        # Uses the same credential provider name created above
+        provider_name= "google-provider",
+        # Requires Google OAuth2 scope to access Google Drive
+        scopes= ["https://www.googleapis.com/auth/drive.metadata.readonly"],
+        # Sets to OAuth 2.0 Authorization Code flow
+        auth_flow= "USER_FEDERATION",
+        # Prints authorization URL to console
+        on_auth_url= lambda x: print("\nPlease copy and paste this URL in your browser:\n" + x),
+        # If false, caches obtained access token
+        force_authentication= False,
+        callback_url='insert_oauth2_callback_url_for_session_binding',
+    )
+    async def write_to_google_drive(*, access_token: str):
+        # Use the token to call Google Drive
@@ -31,3 +35,7 @@ The process is similar to obtain a token for machine-to-machine calls, as shown
-    @requires_access_token(provider_name= "my-api-key-provider", # replace with your own credential provider name
-        scopes= [],
-        auth_flow= 'M2M',)async def need_token_2LO_async(*, access_token: str):
+    
+    @requires_access_token(
+        provider_name= "my-api-key-provider", # replace with your own credential provider name
+        scopes= [],
+        auth_flow= 'M2M',
+    )
+    async def need_token_2LO_async(*, access_token: str):
@@ -111,0 +120 @@ For three-legged OAuth (3LO) flows, your agent needs to provide the authorizatio
+        callback_url='insert_oauth2_callback_url_for_session_binding'
@@ -135,0 +145 @@ For three-legged OAuth (3LO) flows, your agent needs to provide the authorizatio
+        callback_url='insert_oauth2_callback_url_for_session_binding'
@@ -167,0 +178 @@ For three-legged OAuth (3LO) flows, your agent needs to provide the authorizatio
+        callback_url='insert_oauth2_callback_url_for_session_binding'